Reputation: 587
I have an ASP.NET Core app running on Docker Swarm. What is an efficient way to add SSL capabilities to the app and have the cert update itself through Let's Encrypt and certbot?
I know about Docker Swarm Secrets, but they are immutable, so I can't just change the secret when the cert is updated.
Upvotes: 0
Views: 1295
Reputation: 587
Here is the solution that I came up with! Feel free to chip in with ideas to make it better :)
[Sorry about the formatting, I couldn't get it to do what I wanted]
Update your app with a few necessities for using certs:
docker service update <yourswarmapp> \
  --env-add Kestrel__Certificates__Default__Password="cert-password" \
  --env-add Kestrel__Certificates__Default__Path=/run/secrets/defaultcert \
  --env-add ASPNETCORE_URLS="https://;"
Install this bash script on your machine to run daily from a root cron job. (Make sure to set your own domain and passwords.)
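#!/bin/bash
# Daily rotation: package the current Let's Encrypt cert as a PFX and swap it in as a new Swarm secret.
SecretName=$(date +%Y-%m-%d)
OldSecretName=$(date --date yesterday +%Y-%m-%d)
DomainName=your.domain
AppName=yourswarmapp
# Stop if the cert directory is missing rather than writing the PFX somewhere else.
cd "/etc/letsencrypt/live/$DomainName" || exit 1
# Set the PFX password after "-passout pass:"; it must match Kestrel__Certificates__Default__Password.
openssl pkcs12 -export -out "${DomainName}.pfx" -inkey privkey.pem -in cert.pem -certfile chain.pem -passin pass: -passout pass: || exit 1
# Secrets are immutable, so create a new one under today's name from the file written above.
sudo docker secret create "$SecretName" "/etc/letsencrypt/live/$DomainName/${DomainName}.pfx"
sudo docker service update --secret-add "$SecretName" --secret-rm "$OldSecretName" --env-add "Kestrel__Certificates__Default__Path=/run/secrets/$SecretName" "$AppName"
sudo docker secret rm "$OldSecretName"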
Sit back and enjoy your automatically updating and cleaning SSL-enabled app.
Upvotes: 1
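Added example, not part of the original answer: because Swarm secrets are immutable, the secret name can be derived from the certificate's content, so a daily run plans a swap only after an actual renewal. The `tls-` prefix, both function names and the sample files are assumptions made for this sketch; it prints the docker commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the original answer): plan a Swarm secret rotation
# only when the certificate actually changed. The docker commands are printed,
# not executed, so the plan can be reviewed before it is run.
# Assumed names: the "tls-" prefix and both function names are hypothetical.

# Secrets are immutable, so derive the name from the certificate content:
# a renewed cert gets a new name, an unchanged cert maps to the same one.
secret_name_for() {
    [ -r "$1" ] || return 1
    printf 'tls-%s\n' "$(sha256sum "$1" | cut -c1-16)"
}

# plan_rotation APP CURRENT_SECRET CERT_PEM PFX_FILE
# CURRENT_SECRET is the secret the service mounts now ("" on first deploy).
plan_rotation() {
    local new
    new=$(secret_name_for "$3") || return 1
    # Same content hash: the service already serves this certificate.
    if [ "$new" = "$2" ]; then return 0; fi
    echo "docker secret create $new $4"
    if [ -n "$2" ]; then
        echo "docker service update --secret-add $new --secret-rm $2 --env-add Kestrel__Certificates__Default__Path=/run/secrets/$new $1"
        # The old secret is removed last, after the service has switched over.
        echo "docker secret rm $2"
    else
        echo "docker service update --secret-add $new --env-add Kestrel__Certificates__Default__Path=/run/secrets/$new $1"
    fi
}

# Constructed sample input: stand-in files, not real certificates.
demo_dir=$(mktemp -d)
printf 'constructed cert, version 1\n' > "$demo_dir/cert.pem"
first=$(secret_name_for "$demo_dir/cert.pem")
plan_rotation yourswarmapp "" "$demo_dir/cert.pem" "$demo_dir/your.domain.pfx"
# Simulated renewal: the content changes, so a swap is planned.
printf 'constructed cert, version 2\n' > "$demo_dir/cert.pem"
plan_rotation yourswarmapp "$first" "$demo_dir/cert.pem" "$demo_dir/your.domain.pfx"
```

The name is hashed from `cert.pem` rather than from the PFX, since each PFX export is salted and would hash differently even for the same certificate.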